CVE-2026-54665

June 22, 2026, 6:16 p.m.

6.3
Medium

Description

Apache NiFi 0.0.1 through 2.9.0 support building qualified URLs from one of several HTTP request headers that provide an alternative to the standard Host header without validating the values provided. Apache NiFi 1.6.0 introduced a configurable application property to restrict values provided in the HTTP Host header, but did not apply the validation to alternative Proxy and Forwarded headers. The absence of proxy host header validation allowed a client to instruct Apache NiFi web services to construct invalid qualified URLs for redirection or data references. Upgrading to Apache NiFi 2.10.0 is the recommended mitigation, which implements validation for the X-ProxyHost and X-Forwarded-Host HTTP request headers based on the nifi.web.proxy.host property. Enabling header validation requires configuring the application with HTTPS. Reverse proxy servers in front of Apache NiFi are responsible for filtering input request headers and providing allowed values to the application.

Product(s) Impacted

Vendor Product Versions
Apache
  • Nifi
  • 0.0.1, 1.6.0, 2.9.0, 2.10.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-346
Origin Validation Error
The product does not properly verify that the source of data or communication is valid.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a apache niFi 0.0.1 / / / / / / /
a apache niFi 1.6.0 / / / / / / /
a apache niFi 2.9.0 / / / / / / /
a apache niFi 2.10.0 / / / / / / /

References

https://lists.apache.org/thread/y0yoblon8f6dp00qz5r90cxq5n6g4j6k
http://www.openwall.com/lists/oss-security/2026/06/20/7

Tags

[email protected]
CWE-346
2026-06-22
CVE-2026-54665

CVSS Score

6.3 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: PRESENT
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:L/U:Green

    View Vector String

Timeline

Published: June 22, 2026, 8:17 a.m.
Last Modified: June 22, 2026, 6:16 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.